
Addressing the OWASP Top 10 Application Security Risks with Web Application Isolation: #4 Insecure Design

Insecure Design is a newer category of risk that debuted in 2021 as #4 on the list of OWASP Top 10 threats. It is a very broad category that covers a range of design flaws that result in missing or ineffective controls. In their introduction of this risk, OWASP stresses that because defects in design cannot be fixed by rigorous implementation, secure development lifecycles are essential when designing new apps.

But here’s the catch: Existing apps may not have been developed with secure development lifecycles in mind. They may have designed-in weaknesses and flaws such as error messages that contain sensitive data and insufficiently protected data or credential storage. Until these apps can be redesigned, securing them is essential.

To illustrate the risk posed by Insecure Design, Chase Cunningham (Dr. Zero Trust) subjects the fictional Juice Shop that he created on the HyperQube test platform to yet another attack. In a short demo, he manipulates the source code to change session storage values and the tokens that the application uses. Ericom Web Application Isolation (WAI), an innovative cloud-delivered security solution that isolates web/cloud applications and their APIs from cyber-threats, provides controls and policies that can secure apps immediately, as soon as a design flaw is uncovered. In this case, that means blocking session storage data visibility from prying eyes – and itchy trigger fingers.

 

Chase Cunningham

Chief Strategy Officer | Ericom Software
Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.